• THE 6TH CIRCUIT AFFIRMS THE COMPUTER FRAUD AND ABUSE CONVICTION OF AN IT EMPLOYEE

• Last week the Sixth Circuit Court of Appeals upheld the criminal conviction for the Computer Fraud and Abuse Act (“CFAA”) of an employee who stole confidential data from his employer’s computers. U.S. v. Batti, 2011 WL 111745 (6th Cir. Jan. 14, 2011). The issues on appeal were limited to whether the government had offered sufficient proof that the value of the data stolen exceeded $5,000 to qualify as a 5 year felony, 18 U.S.C. § 1030 (a)(2)(C)(c)(B)(iii), and whether the district court had abused its discretion in ordering restitution in the amount of $47,565.

• These limited issues precluded the Sixth Circuit from addressing the 9th Circuit’s decision in LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1135 (9th Cir. 2009). Brekka stands for the proposition that because an employee has permission to use the company computers, he or she cannot violate the CFAA because an employee’s access to the computers is never “without authorization,” a critical element of the CFAA. However, the facts in Batti and the language in the decision provide clues as to how the 6th Circuit might ultimately rule on this issue.

Nick Akerman (212) 415-9217 akerman.nick@dorsey.com Nick is a partner in the New York office of Dorsey & Whitney. For additional articles like this one or to watch my one hour CLE seminar video go to: http://computerfraud.us Da • THE 6TH CIRCUIT AFFIRMS THE COMPUTER FRAUD AND ABUSE CONVICTION OF AN IT EMPLOYEE • Last week the Sixth Circuit Court of Appeals upheld the criminal conviction for the Computer Fraud and Abuse Act (“CFAA”) of an employee who stole confidential data from his employer’s computers. U.S. v. Batti, 2011 WL 111745 (6th Cir. Jan. 14, 2011). The issues on appeal were limited to whether the government had offered sufficient proof that the value of the data stolen exceeded $5,000 to qualify as a 5 year felony, 18 U.S.C. § 1030 (a)(2)(C)(c)(B)(iii), and whether the district court had abused its discretion in ordering restitution in the amount of $47,565. • These limited issues precluded the Sixth Circuit from addressing the 9th Circuit’s decision in LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1135 (9th Cir. 2009). Brekka stands for the proposition that because an employee has permission to use the company computers, he or she cannot violate the CFAA because an employee’s access to the computers is never “without authorization,” a critical element of the CFAA. However, the facts in Batti and the language in the decision provide clues as to how the 6th Circuit might ultimately rule on this issue. • The defendant, Luay Batti, had been employed as an information technology employee at Campbell-Ewald, a Michigan advertising firm. The government’s proof of his intrusions into the company computers occurred both during his time as an employee and after his employment had been terminated. While he was still employed, the trial evidence showed that • Batti accessed Campbell-Ewald's computer server and copied confidential computer files belonging to Campbell-Ewald's CEO without authorization. Although these files were normally stored on the CEO's desktop computer, they had been moved by the company to the company's server while the CEO's computer was being replaced. Within these files were "confidential pieces of information ... including executive compensation, financial statements of the firm, goals and objectives for senior executives of the company reporting to the chairman, and some strategic plans. • Id. at *1. The court’s statement that Batti “accessed” his employer’s computer server and files “without authorization,” would tend to suggest that the court would not agree with the underlying assumption of Brekka that just because an employee has permission to use the company computers, he can never access the company computers “without Nick Akerman (212) 415-9217 akerman.nick@dorsey.com 2 authorization.” Batti, an IT employee, likely had permission to access Campbell-Ewald’s computers as part of his duties. • The court’s statement about Batti accessing the computer without authorization is only dicta, and Batti’s conviction was based on the additional proof that after he had been discharged “[t]he FBI determined that Batti had accessed Campbell-Ewald's confidential files no fewer than twenty-one times . . . , twice through a Campbell-Ewald server and nineteen times through the email account of another Campbell-Ewald employee.” Id. Thus, this proof would comport with Brekka’s holding that once employment had been terminated, the employee would no longer have permission to access the company computers, thereby making his access “without authorization.” Brekka, 581 F.3d at 1136. • Moreover, from the facts recited in the opinion, it is unclear whether Batti obtained information from the company computers during or after his employment. An additional element of the CFAA violation upon which he was convicted is the obtaining of information from the company computers that he had accessed without authorization. See, 18 U.S. C. § 1030(a)(2)(C) (one who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information” commits a crime). There is also no way to know precisely whether the 6th Circuit will join other Circuit Courts in rejecting Brekka, but the direction taken on Batti would seem to suggest it will.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

All the intelligence you need, in one easy email:

* With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name.